310073 Risk Assessment Mitigation Phase Risk Mitigation Plan Unmanned Aircraft System Incident (Chapter SDG&E-11) November 30, 2016


310073

Risk Assessment Mitigation Phase Risk Mitigation Plan

Unmanned Aircraft System Incident (Chapter SDG&E-11)

November 30, 2016


TABLE OF CONTENTS

1 Purpose
2 Background
3 Risk Information
    3.1 Risk Classification
    3.2 Potential Drivers
    3.3 Potential Consequences
    3.4 Risk Bow Tie
4 Risk Score
    4.1 Risk Scenario – Reasonable Worst Case
    4.2 2015 Risk Assessment
    4.3 Explanation of Health, Safety, and Environmental Score
    4.4 Explanation of Other Impact Scores
    4.5 Explanation of Frequency Score
5 Baseline Risk Mitigation Plan
6 Proposed Risk Mitigation Plan
7 Summary of Mitigations
8 Risk Spend Efficiency
    8.1 General Overview of Risk Spend Efficiency Methodology
        8.1.1 Calculating Risk Reduction
        8.1.2 Calculating Risk Spend Efficiency
    8.2 Risk Spend Efficiency Applied to This Risk
    8.3 Risk Spend Efficiency Results
9 Alternatives Analysis
    9.1 Alternative 1 – Increase Contractor Responsibility
    9.2 Alternative 2 – Continue In-House and Contractor Engagement


Figure 1: Swiss Cheese Model of Hazards and Losses
Figure 2: Risk Bow Tie
Figure 3: Formula for Calculating RSE
Figure 4: Risk Spend Efficiency

Table 1: Risk Classification per Taxonomy
Table 2: Risk Drivers
Table 3: Risk Score
Table 4: Risk Mitigation Plan Overview
Table 5: Proposed Risk Mitigation Plan Overview


Executive Summary

The Unmanned Aircraft System (UAS) Incident risk involves an employee, contractor, subcontractor, third party or parties, or external entities operating a UAS which results in damage to SDG&E infrastructure. This is considered by SDG&E to be an emerging risk due to the relatively new and evolving technology. To mitigate this risk in 2015, SDG&E’s baseline mitigation plan consisted of the following requirements and best practices:

• UAS Weight Limitations – SDG&E restricted the acquisition of any UAS with a weight in excess of 55 pounds to lessen the severity of an aircraft accident.
• Pilot in Command Experience and Training Requirements – Federal Aviation Administration (FAA) regulations required licensed recreational pilots to operate a commercial UAS.
• UAS Software and Hardware Checked Prior to Flight – SDG&E systematically checked UAS software and hardware for latest upgrades as a best practice.
• Flights Not Conducted Near Aircraft, People or Within Five Miles of an Airport Without Air Traffic Control Permission – SDG&E UAS maintained distance from the general public and private property, and suspended flight operations as safety measures.
• Compliance with State and Federal UAS Regulations – SDG&E monitored state and federal rules and regulations concerning UAS.

These controls focus on safety-related impacts (i.e., Health, Safety, and Environment) per guidance provided by the Commission in Decision 16-08-018 as well as controls and mitigations that may address reliability. The 2015 baseline mitigations will continue to be performed in the proposed plan. In addition, SDG&E proposes to add new mitigations to further address the UAS Incident risk including:

• Develop and Implement a UAS Safety Management System – a systematic approach to managing safety to better capture, analyze, and understand performance information and flight data, leading to programmatic changes that prevent failures.
• Develop a UAS Training Program for SDG&E Employees – the policy and procedure foundation for SDG&E employees upon which all operations would be based.
• Develop Contractor Qualification, Oversight and Audit Program – a third-party assessment of SDG&E’s operational processes allowing external input into an otherwise internal workflow.
• Develop Flight Management Controls – fleet management software to monitor, track, and maintain aircraft data.
• Research Best Use Cases for Specific Systems as Technology Advances – the utilization of outside vendors and consultants to incorporate the latest opportunities for safety, efficiency, and efficacy into SDG&E’s UAS operations.

The risk spend efficiency was developed for UAS Incident. The risk spend efficiency is a new tool that was developed to attempt to quantify how the proposed mitigations will incrementally reduce risk. For purposes of calculating the risk spend efficiency, SDG&E grouped the six proposed mitigations into one aggregated mitigation: an effective UAS safety program. SDG&E’s Subject Matter Experts determined that implementing the proposed aggregated mitigation would move the 2015 UAS Incident frequency score from a 2 to a score of 1 on SDG&E’s 7X7 risk matrix. Because Effective UAS Safety Program is the only proposed mitigation for purposes of calculating the risk spend efficiency, there is no relative ranking or risk prioritization for the risk of UAS Incident.


Risk: Unmanned Aircraft System Incident

1 Purpose

The purpose of this chapter is to present the mitigation plan of San Diego Gas & Electric Company (SDG&E or Company) for the risks associated with Unmanned Aircraft System (UAS) flight. This is considered by SDG&E to be an emerging risk as the UAS technology is evolving. SDG&E understands that any flight operation will have certain inherent hazards that must be evaluated for overall severity and likelihood. SDG&E considers the risk of UAS Incident to be an incident involving an employee, contractor, or subcontractor operating a UAS which damages any SDG&E infrastructure (including electric transmission/distribution), causes injury and/or death, and/or causes a major outage in service. This risk is specific to UASs employed by or UAS flights in support of SDG&E’s operations. Direct and indirect damage are also accounted for in these evaluations of risk, as they directly impact the cost accountancy of accidents or incidents associated with a UAS incident.[1] While infrastructure damage, aircraft loss, and potential injury may be the most obvious risk to an operation, there are also associated indirect costs such as loss in reputation or public image for SDG&E or loss of internal support for this nascent UAS program.

This risk is a product of SDG&E’s September 2015 annual risk registry assessment cycle. Any events that occurred after that time were not considered in determining the 2015 risk assessment, in preparation for this Report. Note that while 2015 is used as a base year for mitigation planning, risk management has been occurring, successfully, for many years within the Company. SDG&E and Southern California Gas Company (SoCalGas) (collectively, the utilities) take compliance and managing risks seriously, as can be seen by the number of actions taken to mitigate each risk. This is the first time, however, that the utilities have presented a Risk Assessment Mitigation Phase (RAMP) Report, so it is important to consider the data presented in this plan in that context. The baseline mitigations are determined based on the relative expenditures during 2015; however, the utilities do not currently track expenditures in this way, so the baseline amounts are the best effort of the utility to benchmark both capital and operations and maintenance (O&M) costs during that year. The level of precision in process and outcomes is expected to evolve through work with the California Public Utilities Commission (Commission or CPUC) and other stakeholders over the next several General Rate Case (GRC) cycles.

The Commission has ordered that RAMP be focused on safety related risks and mitigating those risks.[2] In many risks, safety and reliability are inherently related and cannot be separated, and the mitigations reflect that fact. Compliance with laws and regulations is also inherently tied to safety and the utilities take those activities very seriously. In all cases, the 2015 baseline mitigations include activities and amounts necessary to comply with the laws in place at that time. Laws rapidly evolve, however, so the RAMP baseline has not taken into account any new laws that have been passed since September 2015. Some proposed mitigations, however, do take into account those new laws.

[1] http://www2.worksafebc.com/Topics/YoungWorker/Resources-FocusReport2011.asp?reportID=36320.
[2] Commission Decision (D.) 14-12-025 at p. 31.


The purpose of RAMP is not to request funding. Any funding requests will be made in the GRC. The forecasts for mitigation are not for funding purposes, but are rather to provide a range for the future GRC filing. This range will be refined with supporting testimony in the GRC. Although some risks have overlapping costs, the utilities have made efforts to identify those costs.

The risk assessment provided herein focuses on the drivers or hazards and potential resulting events of which SDG&E is aware,[3] and about which the leading regulatory and professional organizations that deal with UAS flight are most concerned.[4] Hazards and events that are unknown to SDG&E are beyond the scope of this risk; however, SDG&E is making every effort to create a system by which new hazards can be identified quickly, moved upwards continuously, and evaluated through empowered employees and contractors, such that new risks will be captured and evaluated proactively. Any and all actions that could result in a UAS incident as a result of an employee, contractor, subcontractor, third party or parties, or external entities, flying UAS in support of SDG&E missions, are within the scope of this risk. Lastly, activities that mitigate a UAS coming into contact with SDG&E’s electrical equipment are being addressed as part of the Risk Assessment Mitigation Phase (RAMP) risk of Electric Infrastructure Integrity. Likewise, mitigation activities concerning potential acts of terrorism and other security-related items are being addressed in the RAMP risk of Public Safety Events – Electric.

2 Background

SDG&E’s Aviation Services Department (ASD) supports electric transmission, electric distribution, and gas operations with manned and unmanned aircraft. Manned operations are primarily flown with rotary wing aircraft and include: scheduled powerline patrols, fault patrols, infrared camera patrols, vegetation management surveys, external load work, LiDAR[5] data collections, and aerial assessments. In addition, ASD provides an air-rescue capability to structures and areas that are accessible by helicopter only, and in close proximity to powerlines. Unmanned operations include pole-top and structure integrity assessments, environmental and sensitive area surveys, LiDAR data collection, and post storm or fire damage assessments.

3 Risk Information

As stated in the testimony of Jorge M. DaSilva in the Safety Model Assessment Proceeding (S-MAP) Application (A.) 15-05-002, “SDG&E is moving towards a more structured approach to classifying risks and mitigations through the development of its new risk taxonomy. The purpose of the risk taxonomy is to define a rational, logical and common framework that can be used to understand analyze and categorize risks.”[6] The Enterprise Risk Management (ERM) process and lexicon that SDG&E has put in place was built on the internationally-accepted ISO 31000 risk management standard. In the application and evolution of this process, the Company is committed to increasing the use of quantification within its evaluation and prioritization of risks.[7] This includes identifying leading indicators of risk. Sections 3 – 9 of this plan describe the key outputs of the ERM process and resultant risk mitigations.

[3] SDG&E Aviation Services Department. SDG&E Draft Aircraft Operations Manual, Draft Version 1. June 2016.
[4] 14 Code of Federal Regulations (CFR) Part 107 (NPRM Operation and Certification of Small Unmanned Aircraft Systems). https://www.faa.gov/regulations_policies/rulemaking/recently_published/media/2120-AJ60_NPRM_2-15-2015_joint_signature.pdf.
[5] LiDAR stands for Light Detection and Ranging. According to https://www.LiDARusa.com, it is “used to detect and measure the distance of an object or surface from an optical source.”
[6] A.15-05-002, filed May 1, 2015, at p. JMD-7.

In accordance with the ERM process, this section describes the risk classification, possible drivers and potential consequences of the Aviation Incident risk.

3.1 Risk Classification

Consistent with the taxonomy presented by SDG&E and SoCalGas in A.15-05-002, SDG&E classifies this risk as an electric, operational risk as shown in Table 1.

Table 1: Risk Classification per Taxonomy

Risk Type | Asset/Function Category | Asset/Function Type
OPERATIONAL | ELECTRIC | TRANSMISSION/DISTRIBUTION/SUBSTATION

3.2 Potential Drivers[8]

When performing the risk assessment for UAS Incident, SDG&E identified, categorized, and evaluated potential leading indicators, referred to as drivers. The term “drivers” is consistent with the risk lexicon approved by the California Public Utilities Commission in the S-MAP Decision, Decision (D.) 16-08-018. However, in accordance with industry best practices within the aviation industry, such “drivers” are referred to as hazards.[9] It should be recognized that SDG&E does not believe incidents or accidents are caused by a single failure, but often are the culmination of both active errors and latent conditions aligning to create an incident or accident.[10] SDG&E identified the following drivers that could lead to an incident or accident event.

[7] Testimony of Diana Day, Risk Management and Policy (SDG&E-02), submitted on November 14, 2014 in A.14-11-003.
[8] An indication that a risk could occur. It does not reflect actual or threatened conditions.
[9] International Civil Aviation Organization. Doc. 9859 Safety Management Manual (SMM). 2013. http://www.icao.int/safety/SafetyManagement/Documents/Doc.9859.3rd%20Edition.alltext.en.pdf.
[10] Civil Aviation Safety Authority of Australia. SMS for Aviation—A Practical Guide. 2nd Edition. 2014. Pg. 14. https://www.casa.gov.au/sites/g/files/net351/f/_assets/main/sms/download/2014-sms-book1-safety-management-system-basics.pdf.

• Active Errors – An error can occur due to someone not doing something correctly, or in accordance with procedure or policies, even when the intent is to act in accordance with policy or procedure. The drivers that fall into this category are:

    o Pilot error/inexperience
    o Inadequate pre-flight risk assessment
    o Field error/inexperience
    o Intrusion into incorrect airspace
    o Improper software install
    o Disgruntled individual or terrorist attack
    o Malicious third-party software

• Latent Conditions – A failure of programs/procedures intended to maintain safe flight or operation, yet creates conditions that lead directly to failure. Often these lead to non-regulation “workarounds” or “shortcuts” that can create unsafe environments, and in which active errors create incidents. The drivers that fall into this category are:

    o Incorrect policy or procedure
    o Lack of oversight, complacency
    o Normalization of deviance
    o Inclement Weather (Winds, Rain)

• Hardware Failure (Asset Failure, IT Failure) – A failure of the hardware from any elements in the UAS that contributes to normal flight operations. The drivers that fall into this category are:

    o Aircraft or other equipment failure
    o Improper software install
    o Malicious third-party software
    o GPS lock failure or software malfunction
    o Radio interference with the vehicle

Table 2 maps the specific drivers of UAS Incident to SDG&E’s risk taxonomy.

Table 2: Risk Drivers

Driver Category | UAS Incident Driver(s)
Asset Failure | Aircraft or other equipment failure
Asset-Related Information Technology Failure | Improper software install; Malicious third-party software; GPS lock failure or software malfunction
Employee Incident | Pilot error/inexperience; Inadequate pre-flight risk assessment; Field error/inexperience; Intrusion into incorrect airspace; Improper software install; Incorrect policy or procedure; Lack of oversight, complacency; Normalization of deviance
Contractor Incident | Pilot error/inexperience; Inadequate pre-flight risk assessment; Field error/inexperience; Intrusion into incorrect airspace; Improper software install; Incorrect policy or procedure; Lack of oversight, complacency; Normalization of deviance
Public Incident | Disgruntled individual or terrorist attack; Malicious third-party software; Pilot error/inexperience; Inadequate pre-flight risk assessment; Field error/inexperience; Intrusion into incorrect airspace
Force of Nature | Radio interference with the vehicle; Inclement Weather (Winds, Rain)

Failure rates in the Unmanned Aircraft industry are relatively unknown; however, there are extensive similarities between manned and unmanned failure rates with respect to pilot error and systematic failures in procedures and policies. Given the “new” nature of the hardware and software, as well as the continued failures in organizational management for UAS operations, SDG&E assumed risks associated with failures in communication (pilot error), degradation of situational awareness (pilot error) and improper risk-assessment (pilot error) will continue to contribute to over 90% of all incidents or accidents.[11] By understanding that human error (pilot error) is the leading cause of a large majority of all aviation accidents and incidents, SDG&E’s prime mitigation strategy likewise addresses these failures.

Exemptions should also be made to understand that, in lieu of airworthiness certification, hardware and software failures may be more common in UAS than manned aircraft.

3.3 Potential Consequences

The above drivers/hazards exist in all aviation-oriented operations, and it is up to employees/contractors to develop proper mitigation strategies to eliminate incidents or accidents. The “Swiss-Cheese Model” of Aircraft Accident Causation illustrates that many layers of defense can be instituted to prevent these hazards from manifesting incidents or accidents. This model of accident causation and mitigation can be seen in Figure 1 below. The model, widely accepted as industry best practice in the aviation industry, is the foundation for a robust Safety Management System. It provides that “although many layers of defense lie between hazards and accidents, there are flaws in each layer that, if aligned, can allow accidents to occur.” The overall system produces failures when a hole in each slice (a slice representing mitigation attempts such as policies, procedures, IT security, training, redundant systems, etc.) momentarily aligns, permitting “a trajectory of accident opportunity.” When multiple layers of the mitigation fail, the incident or opportunity for accident can manifest an accident.[12]

[11] Hansen, Frederick. Human Error: A Concept Analysis. Journal of Air Transportation. Pg. 2. http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20070022530.pdf.

The goal is to identify these gaps in mitigations proactively, before they manifest accidents, through hazard (driver) identification, documentation, and education. Understanding that latent conditions often lead to active errors, it is important to create policies and procedures that evaluate and monitor all aspects of the operation for appropriateness. Monitoring incidents of pilot error, and ensuring that proper training is driven by these problems, helps fill these “holes” in the various mitigation layers, and therefore protects against catastrophic accidents.

Figure 1: Swiss Cheese Model of Hazards and Losses

Conversely, if proper mitigations are not in place to reduce the likelihood of an event occurring, or the severity of the event is not diminished to a satisfactory result, then the potential consequences, in a reasonable worst case scenario, could include the following:

• Employee, customer, or non-involved public fatalities.
• SDG&E infrastructure damage leading to service interruption and outage.
• Minimal property damage to non-involved public.
• Operations disruption and/or loss of reputation.
• Violation of regulatory approval and investigation/audit by federal regulators or law enforcement.
• Costs associated with litigation or policy/procedural changes.

[12] Daryl Raymond Smith; David Frazier; L W Reithmaier & James C Miller (2001). Controlling Pilot Error. McGraw-Hill Professional. p. 10. ISBN 0071373187.


These potential consequences were used in the scoring of UAS Incident that occurred during SDG&E’s 2015 risk registry process. See Section 4 for more detail.

3.4 Risk Bow Tie

The Risk “bow tie,” shown below, is a commonly-used tool for risk analysis that shows the relationship between hazard conditions and the potential result if an event were to occur. The left side of the bow tie illustrates potential drivers/hazards that lead to a risk event and the right side shows the potential consequences of a risk event. SDG&E applied this framework to identify and summarize the information provided above.

Figure 2: Risk Bow Tie

4 Risk Score

The SDG&E and SoCalGas ERM organization facilitated the 2015 risk registry process, which resulted in the inclusion of UAS Incident as one of the enterprise risks. During the development of the risk register, subject matter experts from SDG&E’s Electric Distribution Operations department assigned a score to this risk, based on empirical data to the extent it is available and/or using their expertise, following the process outlined in this section.

The resulting risk score was calculated in the interest of providing acceptable knowledge for mitigation strategies, prior to any incident or accident and in accordance with ASTM F-38 Draft Best Practices in Operational Risk Assessment WK49619.[13] The best approach for risk scoring is to analyze the severity of the potential outcome of a hazardous event, and the likelihood of that event occurring. This is calculated using both qualitative and quantitative methods using subject matter expertise, failure rates, and studies conducted in support of operations. Unfortunately, a lack of information is pervasive throughout the UAS industry, as with any cutting-edge, new technology. Therefore, security and safety practices that may be more burdensome than necessary are required in the short-term. As operations become more standard, the known risks will be better understood and mitigation strategies may be less required. The risk score presented is based on a worst reasonable case scenario as identified by the Federal Aviation Administration (FAA), International Civil Aviation Organization (ICAO), and other stakeholders.

4.1 Risk Scenario – Reasonable Worst Case

There are many possible ways in which a UAS incident can occur. For purposes of scoring this risk, subject matter experts used a reasonable worst case scenario to assess the impact and frequency. The scenario represented a hypothetical situation that could happen, within a reasonable timeframe, and lead to a relatively significant adverse outcome. These types of scenarios are sometimes referred to as low frequency, high consequence events. The subject matter experts selected a reasonable worst case scenario to develop a risk score for UAS Incident:

A UAS incident by contractors or internal employees from a collision with infrastructure, manned aircraft, or personnel on the ground that damages the electric transmission/distribution system, and/or causes a significant incident resulting in an employee and/or customer injury and/or death, and/or causes a major outage.

Note that the following narrative and scores are based on this scenario; they do not address all consequences that can happen if the risk occurs.

4.2 2015 Risk Assessment

Using this scenario, subject matter experts then evaluated the frequency of occurrence and potential impact of the risk using SDG&E’s 7X7 Risk Evaluation Framework (REF). The framework (also called a matrix) includes criteria to assess levels of impact ranging from Insignificant to Catastrophic and levels of frequency ranging from Remote to Common. The 7X7 framework includes one or more criteria to distinguish one level from another. The Commission adopted the REF as a valid method to assess risks for purposes of this RAMP.[14] Using the levels defined in the REF, the subject matter experts applied empirical data to the extent it is available and/or their expertise to determine a score for each of four residual impact areas and the frequency of occurrence of the risk.

[13] ASTM International is an international standards organization that develops and publishes voluntary consensus technical standards for a wide range of materials, products, systems, and services. Based in the United States, it publishes the leading industry standards available for UAS operations and airworthiness. This standard in particular is under review for final publication. Industry best practices are noted in the Advisory Circular accompanying 14 CFR Part 107 (AC 107-2), Pg. 72.
[14] D.16-08-018 Ordering Paragraph 9.


Table 3 provides a summary of the UAS Incident risk score in 2015. This risk has a score of 4 or above in the Health, Safety, and Environmental impact area and, therefore, was included in the RAMP. These are residual scores because they reflect the risk remaining after existing controls are in place. For additional information regarding the REF, please refer to the RAMP Risk Management Framework chapter within this Report.

Table 3: Risk Score

Residual Impact: Health, Safety, Environmental (40%) | Residual Impact: Operational & Reliability (20%) | Residual Impact: Regulatory, Legal, Compliance (20%) | Residual Impact: Financial (20%) | Residual Frequency | Residual Risk Score
6 | 4 | 3 | 4 | 2 | 7,380

In addition to the risk assessment performed as part of the ERM risk registry process, a risk assessment was also conducted for the UAS Incident risk in accordance with recently published AC 107-2 by the FAA, which denotes appropriate severity and likelihood criteria for UAS.[15] This alternative risk assessment produced comparable results to that of SDG&E’s ERM risk evaluation, thereby validating the results of both. The results of the industry best practices/FAA guidance assessment determined that some of the baseline mitigations should be adapted.[16] Largely, this is due to the catastrophic nature of an accident leading to one or more fatalities. Only collisions between manned and unmanned aircraft have been documented accurately in the military, and in those cases damage was incurred, but no loss of life. Overall, a comprehensive risk analysis was completed for SDG&E’s UAS Incident risk.

15 US Department of Transportation, Federal Aviation Administration. Advisory Circular 107-2. Small Unmanned Aircraft Systems. June 21, 2016. Pg. 42 http://www.faa.gov/uas/media/AC_107-2_AFS-1_Signed.pdf.
16 It is the belief of the SME involved with risk mitigation for UAS activities that all “yellow” outcomes (as noted in Table 6) should be considered to require mitigations, at least at the policy and procedure level. Any efforts made to diminish the severity or likelihood of either “catastrophic” or “frequent” should be considered, which is in line with FAA recommendations in AC 107-2 Pg. A-5 and A-6. This recommendation is backed up by FAA recommendations in AC 107-2.

4.3 Explanation of Health, Safety, and Environmental Score

Based on the scenario of a UAS incident which damages any SDG&E infrastructure (including electric transmission/distribution), causes injury and/or death, and/or causes a major outage in service, it is anticipated that such an incident could result in a few fatalities and/or life-threatening injuries to those in the air and on the ground. Many mid-air collisions between manned aircraft have resulted in complete losses of aircraft, both rotor and fixed-wing. Likewise, complete loss of aircraft has been well documented when manned aircraft ingest medium to large sized birds (roughly the same weight category as the UAS in use by SDG&E) into engines.17 UAS often resemble the size, shape, and density of medium sized birds, and the long-term study is still being undertaken through academic and industry partnerships.18 These accidents are the main focus of safety requirements taken into consideration by SDG&E in motivating mitigations related to the reasonable worst case scenario. These are also the main justifications for new regulations, as yet unpublished, by the FAA to enable safe use for commercial operations, while limiting proliferation in an unsafe manner.

Accordingly, SDG&E scored the severity of the UAS incident risk a 6 (severe) in the Health, Safety, and Environmental impact area, because of its potential for loss of life. A 7 (catastrophic), resulting in many fatalities, did not seem reasonable because SDG&E assumed that the multi-passenger plane would be small in nature, rather than a commercial aircraft that holds hundreds of passengers.

4.4 Explanation of Other Impact Scores

In addition to the Health, Safety and Environmental impacts, based on the selected reasonable worst case scenario, SDG&E also analyzed the following consequences of a UAS incident or accident:

Operational and Reliability: If the aircraft were to strike power support structures, individuals on the ground, or other important infrastructure, then operational reliability and consistency may be interrupted. The severity would be centralized in location. The only major impact would be to the UAS program at SDG&E, which would be grounded indefinitely until a full investigation by NTSB, FAA, and SDG&E could be concluded. Therefore, a score of 4 (major) was provided, given that such an incident could result in more than 10,000 customers being affected, impacts to a single critical location, or disruption of service greater than one day.

Regulatory, Legal, and Compliance: UAS Incident was scored at a 3 (moderate), as it was determined using empirical data to the extent it is available and/or subject matter expertise that there would be moderate regulatory consequences with respect to a UAS accident which has failed operationally and led to a mid-air collision. The legal issues associated with this risk scenario would primarily focus on civil lawsuits, and operational violations that led to a collision with the manned aircraft. Indirect costs of such a collision would be very high, and are difficult to ascertain ahead of time.

Financial: UAS incident or accident in this risk scenario would likely be moderate to high, but not “very high,” and therefore rated as 4 (major), which is defined in SDG&E’s 7X7 matrix as between $10 and $100 million. Largely the costs would be potential litigation, costs associated with remediation and potential upgrades to the UAS program, training programs, and potential policy/procedure changes. Wrongful death suits, liability, etc. are often results of aviation accidents.19 The overall costs would largely be a function of the type of aircraft lost as it will define the number of passengers. As SDG&E operations do not come in contact with large passenger jets, the fatalities are most likely to be between 1 – 4 passengers.

17 Donahue, Pete. How Often do Birds Cause Plane Crashes? January 16, 2009. http://www.nydailynews.com/new-york/birds-plane-crashes-article-1.361189.
18 https://polytechnic.k-state.edu/aviation/uas/research.html.
19 Scuffham, P.; Chalmers, D.; O’Hare, D.; Wilson, E.; Direct and indirect Cost of General Aviation Crashes. Aviation Space Environment Medicine. September 2002 Pg. 851-858 http://www.ncbi.nlm.nih.gov/pubmed/12234034.

4.5 Explanation of Frequency Score

With relation to the frequency of such an event occurring, there have been no documented cases of a UAS striking a manned aircraft in the non-military sector. The only military mid-air collisions led to significant damage to the manned aircraft, and no injuries or loss to passengers or crew. While the aircraft may enter into an uncontrollable situation due to communications interference, software bugs, or battery misuse, onboard technologies such as “Return to Home” and Low Battery warnings already provide some risk mitigation. However, given that the use of UAS is increasing, the risk of a UAS-related incident occurring is also increasing. Given this, SDG&E scored this risk a 2 (rare), estimated to occur once every 30-100 years.

5 Baseline Risk Mitigation Plan20

As stated above, this risk involves an employee, contractor, subcontractor, third party or parties, or external entities, operating a UAS which results in damage to SDG&E infrastructure. The 2015 baseline mitigations discussed below include the current evolution of the utilities’ risk management of this risk. The baseline mitigations include the amount to comply with laws that were in effect at that time.

In 2015, SDG&E was in the early stages of its UAS operations and risk mitigation, especially given that this is relatively new and emerging technology. The 2015 controls were primarily in a research and development stage, and had not been formalized. Many of the 2015 mitigations relied on industry best practices. Since then, as of January 1, 2016, the ASD department took responsibility for SDG&E’s UAS operations and developed formal mitigation activities, discussed in Section 6. Each of the mitigation activities in place in 2015 is described below. The controls were implemented to improve or maintain safety by enacting policies or procedures that reduce the likelihood of an event occurring.

These controls focus on safety-related impacts21 (i.e., Health, Safety, and Environment) per guidance provided by the Commission in D.16-08-01822 as well as controls and mitigations that may address reliability.23 Accordingly, the controls and mitigations described in Sections 5 and 6 address safety-related impacts primarily. Note that the controls and mitigations in the baseline and proposed plans are intended to address various UAS-related events, not just the scenario used for purposes of risk scoring.

20 As of 2015, which is the base year for purposes of this Report.
21 The Baseline and Proposed Risk Mitigation Plans may include mandated, compliance-driven mitigations.
22 D.16-08-018 at p. 146 states “Overall, the utility should show how it will use its expertise and budget to improve its safety record” and the goal is to “make California safer by identifying the mitigations that can optimize safety.”
23 Reliability typically has an impact on safety. Accordingly, it is difficult to separate reliability and safety.


1. UAS Weight Limitations

SDG&E restricted the acquisition of any UAS with a weight in excess of 55 pounds to lessen the severity of an aircraft accident. Additionally, flight operations in populated areas were restricted to micro UAS only. This is a requirement of 14 CFR Part 107.

2. Pilot in Command (PIC) Experience and Training Requirements

FAA regulations mandated PICs to have been licensed recreational pilots in order to operate a commercial UAS. An FAA licensed pilot has a certain level of aeronautical knowledge, experience, and demonstrated competency that increased the level of safety when operating UASs.

3. UAS Software and Hardware Checked Prior to Flight

For this best practice, SDG&E systematically checked UAS software and hardware for latest upgrades to check the reliability of equipment.

4. Flights Not Conducted Near Aircraft, People or Within Five Miles of an Airport Without Air Traffic Control (ATC) Permission

SDG&E UAS maintained 500 feet from the general public and private property, and suspended flight operations whenever manned aircraft entered within the vicinity of the flight area in accordance with 14 CFR part 107. Additionally, missions within controlled airspace were de-conflicted with local ATC to avoid possible mid-air collisions with manned aircraft.

5. Complied with State and Federal UAS Regulations

SDG&E monitored state and federal rules and regulations concerning UAS and proactively provided guidance to protect Company assets.

While the current level of risk is managed through regulatory compliance, informal training, and hardware management by ASD supervision and approvals, operations continue to expand and improve, and the complexities develop along with them. Therefore, the following characteristics and needs are clear:

The inherent level of the identified risk is minimal due to the current size of operations, and the extremely low likelihood of a catastrophic event.

The risk associated with less severe events occurring – such as a collision with a transmission wire or person on the ground, damaging the system or injuring a person – may be much higher than a catastrophic event and, therefore, continued development of training, codifications, oversight, and hardware must be more defined. The likelihood of less severe, but still costly, events occurring is quite high as UAS tend to fail at a much higher rate than manned aviation, due to a lack of airworthiness certification, immaturity in the designs and testing of components, and a lack of direct oversight in the materials and production of systems. As such, SDG&E is proposing (as described in the subsequent section) to implement a Safety Management System (SMS). Performance information and flight data will be better captured, analyzed, and understood, leading to programmatic changes that prevent failures. SMEs have been brought in from industries where leaders in the field of Operational Risk Assessment and Mitigation continue to examine operational examples and provide insight to overall risk exposure. Their insight will go directly to the development of mitigations codified in future SMS, AOM, and Training manuals. This is an ongoing effort, and one that requires continuous application in support of third-party input, audit, and inspection.

Inputs to the evaluation of baseline risk include industry wide reports on incident and accident data, best practices as published by the ASTM Industry Consensus Groups on AOM development, Batteries, Flight Operations, and Expertise, as developed at the University of Southern California Aviation Safety & Security Program.

Through maintaining operational oversight in the early project development of UAS operations, and creating training programs that are rooted in first-hand experience, safety protocols developed through lessons learned in manned and unmanned aviation, and codifying best practices from throughout the industry, SDG&E can integrate UAS operations into all facets of SDG&E’s mission safely. However, as these operations become more complex, diverse, and integrated, SDG&E will need to enhance the current operational support structure with a systematic safety approach (Safety Management Systems), continued effort to promote cutting-edge technology adoption, and an increased use of experienced contractors for missions of greater complexity.

6 Proposed Risk Mitigation Plan

The 2015 baseline mitigations outlined in Section 5 will continue to be performed in the proposed plan, in most cases, to maintain the current residual risk level. In addition, SDG&E proposes new mitigations to further address the risk of UAS Incident. The baseline controls were focused on compliance with federal and state mandates and are now addressed through the UAS SMS and UAS Training Program for SDG&E Employees discussed below. The proposed plan focuses on codifying policies, procedures, and plans for the UAS program to continue to scale and operate in support of SDG&E activities.

The benefits associated with SDG&E’s proposed plan are many in applying, implementing, and evolving the operational framework envisioned for the UAS program. By adopting industry best practices that touch upon SMS, Crew Resource Management (CRM), and more advanced flight management controls, SDG&E will eliminate the communication errors involved with the majority of aviation accidents.24 It remains difficult to quantify accident rates in the aviation industry; however, unmanned aircraft are prone to very specific incident drivers (hazards), including airworthiness or maintenance problems, situational-awareness reduction, human error due to lack of training or environmental knowledge, and problems of non-detailed communications. By adopting the measures above – especially in the codification of manuals, implementation of a robust SMS that captures hazards, analyzes them for risk, and mitigates risk before they become accidents – safety and security of the UAS program, and its tangential operations, will follow. The proposed activities, along with updates about other controls, are described in detail below.

24 Wiegmann, D. et al.; Federal Aviation Administration. Human Error and General Aviation Accidents: A Comprehensive, Fine-Grained Analysis using HFACS. December 2005. https://www.faa.gov/data_research/research/med_humanfacs/oamtechreports/2000s/media/0524.pdf.

1. UAS SMS

Developing a robust SMS program enables the support and expansion of UAS activity throughout SDG&E strategic operations. The FAA has identified SMS as the main enabling operational approach to aviation operations that provides succinct and successful operations. Without expanding the implementation of UAS operations through the incorporation of data processing, fleet management, and operational training for any and all operations, those operations will not realize the dramatic increase in safety.

According to subject matter experts, Safety Management Systems is the future of Unmanned Aircraft operations, and will likely be required by 2017 by the International Civil Aviation Organization, which FAA is required to follow.25 SDG&E will be positioned to avoid the risk of costly program overhaul when the proposed requirement becomes reality; it will avoid the need to change the procedures in place that often lead to residual and unidentified risk.

Among the required mitigations are pre-flight checklists, some form of management of flight operations and notice to the public, and a need to operate within the boundaries of regulatory approvals. Without clear procedures and policies, SDG&E will not be able to entrust flight operations to contractors and, therefore, cannot fulfill its obligations.

2. UAS Training Program for SDG&E Employees

Training and operational codifications provide the policy and procedure foundation upon which all operations must be based. It is estimated the training will require constant development in the early and middle phases of program development. The training program consists of an initial training manual for internal use of pilot development, continued training costs for currency and performance development, and case-by-case skills performance development. Training is the core element of the fourth pillar (Safety Promotion) of SMS, and therefore required in an on-going programmatic methodology that goes beyond that required by other operational core competencies of SDG&E.

25 Wolf, Harrison. AUVSI Presentation 2016 by Randy Willis, FAA ICAO Board Member. May 2016.


3. Contractor Qualification, Oversight and Audit Program

Auditing and third-party oversight and qualification is another portion of the Safety Assurance function within SMS, and is directly related to acquiring feedback and unbiased assessment of any aviation operation. As UAS operations are relatively new, getting unbiased assessment of the operational processes is vitally important and allows external input into an otherwise internal workflow. The FAA and ICAO have identified auditing and third-party inspection as a vital element of a healthy aviation organization. Audits require bringing in external companies for three to four days at a time to examine documentation of policies and procedures, data acquisition, and witness operations both announced and unannounced. The Wyvern Exact certification,26 Argus Prism certification,27 and IS-BAO IBAC standard certification,28 are all examples of possible certification of SMS that will provide insight, approval, and recognition, enabling UAS operations for SDG&E.

4. Flight Management Controls

As the use of UAS continues to grow within the SDG&E mission portfolio, and as a greater number of operations are approved and executed via contractors or internal pilots, fleet management software and support must be included to monitor, track, and maintain aircraft data. These systems come in a variety of software suites, and though the particular software and hardware platforms to use have not been selected, they cost about the same and their continued use is conducted on an enterprise cost structure that requires implementation and training. These fleet management software suites contribute to both the Safety Promotion and Safety Assurance capabilities of the program, and drive hazard identification, documentation, and policy development.

5. Research Best Use Cases for Specific Systems

Technology is rapidly changing and bringing in outside vendors and consultants is an important approach to ensuring that SDG&E includes the latest opportunities for safety, efficiency, and efficacy in its operations. Likewise, SDG&E identified participation in industry conferences and industry discussion groups – often hosted in Colorado, Northern California, Texas, and other areas – to help support SDG&E safety and technological applications for UAS.

7 Summary of Mitigations

Table 4 summarizes the 2015 baseline risk mitigation plan, the risk driver(s) a control addresses, and the 2015 baseline costs for UAS Incident. While control or mitigation activities may address both risk drivers and consequences, risk drivers link directly to the likelihood that a risk event will occur. Thus, risk drivers are specifically highlighted in the summary tables.

26 https://www.wyvernltd.com/exact-categories-infographic?__hssc=161114082.1.1475544766902&__hstc=161114082.f703e3685ccc957d60cc6d1de3a7ddd2.1475544766901.1475544766901.1475544766901.1&__hsfp=3477367523&hsCtaTracking=a0394b45-4984-4813-967a-32018365d36b%7C309c70ee-e94b-4f22-81bb-a253fb14e06b.
27 https://www.aviationresearch.com/PRISM2.aspx.
28 https://www.nbaa.org/admin/sms/is-bao/.

SDG&E does not account for and track costs by activity, but rather by cost center and capital budget code. So, the costs shown in Table 4 were estimated using assumptions provided by SMEs and available accounting data.

It should be noted that there were no recorded costs associated with these baseline activities in 2015 due to the emerging aspect of the controls. As the mitigation efforts and SDG&E’s UAS program improve and evolve, as outlined in the subsequent section describing SDG&E’s proposed plan, costs associated with such activities will be realized.


Table 4: 2015 Risk Mitigation Plan Overview (Direct 2015 $000)29

| ID | Control | Risk Drivers Addressed | Capital30 | O&M | Control Total31 | GRC Total32 |
|---|---|---|---|---|---|---|
| 1 | UAS Weight Limitations* | Deconfliction, knowledge of all missions by ASD dispatch; Limited operational approvals | n/a | n/a | $0 | $0 |
| 2 | Pilot in Command Experience and Training Requirements* | Pilot Error; Hardware Malfunction; Training Problems | n/a | n/a | 0 | 0 |
| 3 | UAS Software and Hardware Checked Prior to Flight | Hardware Malfunction; Communication Issues; Human error | n/a | n/a | 0 | 0 |
| 4 | Flights Not Conducted Near Aircraft or People or Within Five Miles of an Airport Without Air Traffic Control Permission* | Midair Collision; Activity of aircraft in vicinity | n/a | n/a | 0 | 0 |

29 The figures provided in Tables 4 and 5 are direct charges and do not include Company overhead loaders, with the exception of vacation and sick. The costs are also in 2015 dollars and have not been escalated to 2016 amounts.
30 Pursuant to D.14-12-025 and D.16-08-018, the Company is providing the “baseline” costs associated with the current controls, which include the 2015 capital amounts. The 2015 mitigation capital amounts are for illustrative purposes only. Because projects generally span several years, considering only one year of capital may not represent the entire mitigation.
31 The Control Total column includes GRC items as well as any applicable non-GRC jurisdictional items. Non-GRC items may include those addressed in separate regulatory filings or under the jurisdiction of the Federal Energy Regulatory Commission (FERC).
32 The GRC Total column shows costs typically presented in a GRC.


| ID | Control | Risk Drivers Addressed | Capital30 | O&M | Control Total31 | GRC Total32 |
|---|---|---|---|---|---|---|
| 5 | Complied with State and Federal UAS Regulations* | Communication Issues; Situational Awareness; Human Error | n/a | n/a | 0 | 0 |
| | TOTAL COST | | $0 | $0 | $0 | $0 |

* Includes one or more mandated activities

Table 5 summarizes SDG&E’s proposed mitigation plan, associated projected ranges of estimated O&M expenses for 2019, and projected ranges of estimated capital costs for the years 2017-2019. It is important to note that SDG&E is identifying potential ranges of costs in this plan, and is not requesting funding approval. SDG&E will request approval of funding in its next GRC. There are non-CPUC jurisdictional mitigation activities addressed in RAMP; the costs associated with these will not be carried over to the GRC. As set forth in Table 5 the utilities are using a 2019 forecast provided in ranges based on 2015 dollars.


Table 5: Proposed Risk Mitigation Plan Overview33

(Direct 2015 $000)

| ID | Mitigation | Risk Drivers Addressed | 2017-2019 Capital34 | 2019 O&M | Mitigation Total35 | GRC Total36 |
|---|---|---|---|---|---|---|
| 1 | UAS SMS | Pilot Error/Inexperience; Inadequate Pre-Flight Risk Assessment; Field Error/Inexperience; Intrusion Into Incorrect Airspace; Improper Software Install; Malicious Third Party Software | n/a | $50 - 80 | $50 - 80 | $50 - 80 |
| 2 | UAS Training Program for SDG&E Employees | Pilot Error/Inexperience; Inadequate pre-flight risk assessment; Field Error/Inexperience; Improper Software Install | n/a | 16 - 23 | 16 - 23 | 16 - 23 |
| 3 | Contractor Qualification, Oversight and Audit Program | Pilot Error/Inexperience; Inadequate Pre-Flight Risk Assessment; Field Error/Inexperience; Intrusion Into Incorrect Airspace | n/a | 20 - 30 | 20 - 30 | 20 - 30 |

33 Ranges of costs rounded to the nearest $10,000.
34 The capital presented is the sum of the years 2017, 2018, and 2019 or a three-year total. Years 2017, 2018 and 2019 are the forecast years for SDG&E’s Test Year 2019 GRC Application.
35 The Mitigation Total column includes GRC items as well as any applicable non-GRC items.
36 The GRC Total column shows costs typically represented in a GRC.


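| ID | Mitigation | Risk Drivers Addressed | 2017-2019 Capital34 | 2019 O&M | Mitigation Total35 | GRC Total36 |
|---|---|---|---|---|---|---|
| 4 | Flight Management Controls | Intrusion Into Incorrect Airspace | n/a | 9 - 13 | 9 - 13 | 9 - 13 |
| 5 | Research Best Use Cases for Specific Systems as Technology Advances | Pilot Error/Inexperience; Inadequate Pre-Flight Risk Assessment; Field Error/Inexperience; Intrusion Into Incorrect Airspace; Improper Software Install; Malicious Third Party Software | n/a | 10 - 14 | 10 - 14 | 10 - 14 |
| | TOTAL COST | | $0 | $110 - 160 | $110 - 160 | $110 - 160 |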

The costs presented in Table 5 were zero-based as these activities are all new or expanding. The subject matter experts utilized their knowledge of how much similar projects and programs cost to implement. The range is needed to provide flexibility as these are new activities involving an emerging technology.

1. UAS SMS

The costs associated with the development and implementation of a UAS SMS were derived as a result of previous work and proposals for work by third-party vendors, and vetted through inter-industry discussions for appropriateness. It is estimated that accident and incident rates will drop in accordance with the above cited paper, leading to significant cost savings.

2. UAS Training Program for SDG&E Employees

The cost for a UAS Training Program for SDG&E Employees was forecasted based on vendor proposals and industry standard rates, as well as the number of hours for labor expected for SDG&E employees to implement the training.

- Status quo is maintained - Expanded or new activity

* Includes one or more mandated activities


3. Contractor Qualification, Oversight and Audit Program

As stated in Section 6, because UAS technology is emerging, obtaining an unbiased assessment of the operational processes is vitally important. The cost for this activity includes expert time and travel as well as the certification itself which will provide insight, approval, and recognition, enabling UAS operations for SDG&E.

4. Flight Management Controls

The costs shown above in Table 5 are based upon an industry survey of costs associated with the fleet management software. The software can range from about $6,000 to $18,000 per year.

5. Research Best Use Cases for Specific Systems as Technology Advances

The costs associated with this mitigation include bringing in outside vendors and consultants as well as SDG&E employees participating in various industry conferences. These costs can vary depending on the consultant selected and/or the conference attended. Nonetheless, the basic cost established for conference participation via AUVSI XPONENTIAL 2016 was about $1,400 per person. Conference participation, industry consultants, and technological trials, which together make up the cost of maintaining future-oriented solutions, all contributed to the forecasted costs.

8 Risk Spend Efficiency

Pursuant to D.16-08-018, the utilities are required in this Report to “explicitly include a calculation of risk reduction and a ranking of mitigations based on risk reduction per dollar spent.”37 For the purposes of this Section, Risk Spend Efficiency (RSE) is a ratio developed to quantify and compare the effectiveness of a mitigation at reducing risk to other mitigations for the same risk. It is synonymous with “risk reduction per dollar spent” required in D.16-08-018.38

As discussed in greater detail in the RAMP Approach chapter within this Report, to calculate the RSE the Company first quantified the amount of Risk Reduction attributable to a mitigation, then applied the Risk Reduction to the Mitigation Costs (discussed in Section 7). The Company applied this calculation to each of the mitigations or mitigation groupings, then ranked the proposed mitigations in accordance with the RSE result.

37 D.16-08-018 Ordering Paragraph 8.
38 D.14-12-025 also refers to this as “estimated mitigation costs in relation to risk mitigation benefits.”

8.1 General Overview of Risk Spend Efficiency Methodology

This subsection describes, in general terms, the methods used to quantify the Risk Reduction. The quantification process was intended to accommodate the variety of mitigations and accessibility to applicable data pertinent to calculating risk reductions. Importantly, it should be noted that the analysis described in this chapter uses ranges of estimates of costs, risk scores and RSE. Given the newness of RAMP and its associated requirements, the level of precision in the numbers and figures cannot and should not be assumed.

8.1.1 Calculating Risk Reduction

The Company’s SMEs followed these steps to calculate the Risk Reduction for each mitigation:

1. Group mitigations for analysis: The Company “grouped” the proposed mitigations in one of three ways in order to determine the risk reduction: (1) Use the same groupings as shown in the Proposed Risk Mitigation Plan; (2) Group the mitigations by current controls or future mitigations, and similarities in potential drivers, potential consequences, assets, or dependencies (e.g., purchase of software and training on the software); or (3) Analyze the proposed mitigations as one group (i.e., to cover a range of activities associated with the risk).

2. Identify mitigation groupings as either current controls or incremental mitigations: The Company identified the groupings by either current controls, which refer to controls that are already in place, or incremental mitigations, which refer to significantly new or expanded mitigations.

3. Identify a methodology to quantify the impact of each mitigation grouping: The Company identified the most pertinent methodology to quantify the potential risk reduction resulting from a mitigation grouping’s impact by considering a spectrum of data, including empirical data to the extent available, supplemented with the knowledge and experience of subject matter experts. Sources of data included existing Company data and studies, outputs from data modeling, industry studies, and other third-party data and research.

4. Calculate the risk reduction (change in the risk score): Using the methodology in Step 3, the Company determined the change in the risk score by using one of the following two approaches to calculate a Potential Risk Score: (1) for current controls, a Potential Risk Score was calculated that represents the increased risk score if the current control were not in place; (2) for incremental mitigations, a Potential Risk Score was calculated that represents the new risk score if the incremental mitigation is put into place. Next, the Company calculated the risk reduction by taking the residual risk score (see Table 3 in this chapter) and subtracting the Potential Risk Score. For current controls, the analysis assesses how much the risk might increase (i.e., what the potential risk score would be) if that control were removed.[39] For incremental mitigations, the analysis assesses the anticipated reduction of the risk if the new mitigations are implemented. The change in risk score is the risk reduction attributable to each mitigation.

8.1.2 Calculating Risk Spend Efficiency

The Company SMEs then incorporated the mitigation costs from Section 7. They multiplied the risk reduction developed in subsection 8.1.1 by the number of years of risk reduction expected to be realized by the expenditure, and divided it by the total expenditure on the mitigation (capital and O&M). The result is a ratio of risk reduction per dollar, or RSE. This number can be used to measure the efficiency of one mitigation relative to another. Figure 3 shows the RSE calculation.

[39] For purposes of this analysis, the risk event used is the reasonable worst case scenario, described in the Risk Information section of this chapter.

Figure 3: Formula for Calculating RSE

The RSE is presented in this Report as a range, bounded by the low and high cost estimates shown in Table 5 of this chapter. The resulting RSE scores, in units of risk reduction per dollar, can be used to compare mitigations within a risk, as is shown for each risk in this Report.

8.2 Risk Spend Efficiency Applied to This Risk

SDG&E analysts used the general approach discussed in Section 8.1, above, in order to assess the RSE for the UAS risk. The RAMP Approach chapter in this Report provides a more detailed example of the calculation used by the Company.

The mitigations consisted of six proposed projects that were organized into one grouping for analysis: an effective UAS safety program. The grouping included:

(a) Effective UAS Safety Program (SMS, asset improvements, public information)

- UAS SMS
- UAS Training Program
- Contractor qualifications, oversight, audit
- Flight management controls, software
- Research drone tech upgrade/replacements
- UAS privacy policy/public awareness

Effective UAS Safety Program

This incremental mitigation consists of an SMS program; various training, qualifications, oversight, and audits; software and technology; and public awareness. SDG&E’s SMEs determined that because there have been no UAS incidents that threatened anyone’s life, either in the company or within the industry, research could not indicate the effectiveness of the mitigations at reducing risk. Therefore, the team decided that, with an effective UAS safety program, the likelihood of a UAS incident involving fatalities would move from a current score of 2 to a score of 1 on SDG&E’s 7x7 risk matrix, equivalent to one incident in greater than 100 years.


8.3 Risk Spend Efficiency Results

Based on the foregoing analysis, SDG&E calculated the RSE ratio for the proposed mitigation grouping. Figure 4 displays the range[40] of RSEs for the SDG&E UAS risk mitigation grouping.[41]

Figure 4: Risk Spend Efficiency

9 Alternatives Analysis

SDG&E considered alternatives when developing its proposed plan to address this UAS incident risk. These alternatives were dismissed in favor of SDG&E’s proposed plan for the reasons described below.

9.1 Alternative 1 – Increase Contractor Responsibility

The first alternative considered was to allow contractors to have full oversight of mission, safety, operations, and decision making in both strategic and tactical approach. Some entities within the inspection industry (particularly flare stack inspections and solar panels) rely solely on contractors. In this case the application and use of UAS contractors is minimal, as the assets managed are in fewer locations, away from population centers (generally), and therefore offer less risk to organizations than SDG&E. SDG&E would provide tasking to the various contractors, and they would manage their assets, personnel, and application of technology use, in support of those tasks.

[40] Based on the low and high cost ranges provided in Table 5 of this chapter.
[41] It is important to note that the risk mitigation prioritization shown in this Report is not comparable across other risks in this Report.

The number of operations, the diversity of application, the rapid nature of technology development, as well as the need to standardize and communicate information across all aviation activities, both internally and externally to SDG&E, require a centralized operational risk management scheme. The first alternative puts too much control and oversight with contractors who may operate beyond the oversight and safety expectations of SDG&E. Ultimately, the risk is not reduced, but is simply passed on to a contractor with less personal or reputational risk than SDG&E, and therefore likely to approach the overall mission differently. Further, with no centralized safety mechanisms, coordination between entities is more difficult. As contractors differ in their approach to operations, SDG&E would be placed in a position of constant vigilance over their operations, rather than acting through a proactive top-down approach, which increases safety directly. SMS is known to decrease loss and provide extremely high Return on Investment. In a 2011 study, incidents and accidents were directly diminished, and therefore reputational, financial, and physical damage were reduced, among the aviation industry participants that implemented SMS.[42]

9.2 Alternative 2 – Continue In-House and Contractor Engagement

The second alternative is to move forward with both in-house and contractor UAS engagement, without a robust safety oversight approach. This would not require training and application of SMS systems that are consistent with ICAO and FAA frameworks. This could be considered a status quo option, as the program is developing, moving forward, and intending to operate in support of SDG&E. However, this also increases the likelihood that risks are not managed to the highest industry consensus standards, and exposes the operation and important state assets to considerable physical and non-physical risk.

While contractor engagement may be a part of the SDG&E UAS strategy, the risk management, leadership, and promotion of lessons learned will be the responsibility of SDG&E leadership. The fundamental difference is that SMS diminishes organizational drift, reduces the normalization of deviance, and ultimately decreases the likelihood of incidents and accidents. It is fundamentally important to approach safety from a top-down approach that meets and exceeds all industry best practices, of which SMS is one. By not approaching UAS operations with a safety focus that embodies the direction that FAA and ICAO envision moving forward, SDG&E risks putting off investment costs until FAA/ICAO require SMS for UAS activities (estimated to be in 2019).[43] While the investment costs could be required as early as 2019, the FAA is providing approvals and waivers to companies that illustrate a dedication to safety through the safety case approval process.[44] As SDG&E seeks to expand UAS activities into higher risk environments, or operations Beyond Visual Line of Sight, a demonstrated success in SMS will diminish risk to a satisfactory level to enable those operations.

[42] Center for Aviation Safety Research. Aviation Safety Management Systems Return on Investment Study. 2011. http://parks.slu.edu/myos/my-uploads/2013/01/03/aviation-safety-management-systems-roi-study.pdf.
[43] Interview with Randy Wyllis – FAA Representative to ICAO. AUVSI XPONENTIAL 2016 New Orleans, LA.
[44] https://www.faa.gov/uas/request_waiver/.